提交 6d1acf71 编写于 作者: D Daniel P. Berrange 提交者: Eric Blake

Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba873
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e7f400a1)

Conflicts:
	daemon/remote.c - context
上级 a338c40b
......@@ -1127,7 +1127,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
remote_domain_memory_stats_ret *ret)
{
virDomainPtr dom = NULL;
struct _virDomainMemoryStat *stats;
struct _virDomainMemoryStat *stats = NULL;
int nr_stats, i;
int rv = -1;
struct daemonClientPrivate *priv =
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册